Latest revision as of 14:07, 2 May 2013

Description

Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain.

This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user's trust.

The page functionality can be tested by making the following GET request to the page:

http://127.0.0.1/vulnerable.php?name=test

By requesting the link below, the page renders the injected HTML, presents a login form, and comments out the rest of the page after the injection point. Once a user enters their username and password, the values are sent to a page named login.php on the attacker's server via POST.

Text Injection

Another example of a content spoofing attack would be to present false information to a user via text manipulation. An attack scenario is demonstrated below. For this scenario, lets assume proper output encoding HAS been implemented and XSS is not possible:

An attacker identifies a web application that gives recommendations to its users on whether they should buy or sell a particular stock

The attacker identifies a vulnerable parameter

The attacker crafts a malicious link by slightly modifying a valid request

The link containing the modified request is sent to a user and they clicks the link

A valid webpage is created using the attackers malicious recommendation and the user believes the recommendation was from the stock website